Question

I create some cookies in the logon.aspx.cs code-behind that read and contain user info from the DB with a data reader.

HttpCookie UID = new HttpCookie("ID");
Response.Cookies["UID"].Value = Recordset[0].ToString();
Response.Cookies.Add(UID);
HttpCookie UName = new HttpCookie("Username");
Response.Cookies["Username"].Value = Recordset[3].ToString();
Response.Cookies.Add(UName);
HttpCookie Pass = new HttpCookie("Pass");
Response.Cookies["Pass"].Value = Recordset[4].ToString();
Response.Cookies.Add(Pass);
HttpCookie Admins = new HttpCookie("Admin");
Response.Cookies["Admin"].Value = Recordset[12].ToString();
Response.Cookies.Add(Admins);
HttpCookie Mails = new HttpCookie("Emails");
Response.Cookies["Emails"].Value = Recordset[9].ToString();
Response.Cookies.Add(Mails);
Response.Redirect("../default.aspx");

When I trace the code, everything is good and the data is held by the cookies.
Now when I read these cookies in the master page or another content page, I can't.
In other words, the cookies are not recognized by their names (or keys).

if (Request.Cookies["Username"] !=null)
{
    lblWelcomeUser.Text = Server.HtmlEncode(Request.Cookies["Username"].Value);
    pnlUsersNavigation.Visible = true;
    LoginMenu.Visible = false;
    RegisterMenu.Visible = false;
    lblWelcomeUser.Text = Server.HtmlEncode(Request.Cookies["Username"].Value);
    //lblWelcomeUser.Text = Request.Cookies["Username"].Value.ToString();
    if (Request.Cookies["Admin"].Value.ToString()=="True")
    {
        lblWelcomeUser.Text = "WELCOME ADMIN";
        // Show Menu that is only for Admin
    }
}

Where is the problem in this code?


Solution

It appears that you might be overwriting the cookie with a good value, with a new empty cookie.

// new cookie created - empty
HttpCookie UName = new HttpCookie("Username");

// new cookie created with a value
Response.Cookies["Username"].Value = Recordset[3].ToString();

// overwrite new cookie with value with new empty cookie
Response.Cookies.Add(UName);

Create the cookie, set the value, then add the cookie to the response.

HttpCookie UName = new HttpCookie("Username");
UName.Value = Recordset[3].ToString();
Response.Cookies.Add(UName);

Also note that as Paul Grimshaw pointed out, you can add multiple values to the same cookie.

Download Fiddler to check request/response to ensure your cookies contain the correct values and such... http://fiddler2.com/get-fiddler

Also be careful about Man-in-the-middle attacks. Storing usernames and passwords in plain text is not such a good idea to begin with.

OTHER TIPS

This doesn't look like a very secure way of securing access to your application. Try looking at ASP.NET membership.

Otherwise try setting an expiry date. Also, as this example shows, you may want to store all the above info in one cookie:

HttpCookie myCookie = new HttpCookie("UserSettings");
myCookie["UID"] =  Recordset[0].ToString();
myCookie["Username"] = Recordset[3].ToString();
//...etc...
myCookie.Expires = DateTime.Now.AddDays(1);
Response.Cookies.Add(myCookie);

Also, from MSDN:

By default, cookies are shared by all pages that are in the same domain, but you can limit cookies to specific subfolders in a Web site by setting their Path property. To allow a cookie to be retrieved by all pages in all folders of your application, set it from a page that is in the root folder of your application and do not set the Path property. If you do not specify an expiration limit for the cookie, the cookie is not persisted to the client computer and it expires when the user session expires. Cookies can store values only of type String. You must convert any non-string values to strings before you can store them in a cookie. For many data types, calling the ToString method is sufficient. For more information, see the ToString method for the data type you wish to persist.
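
An added example, not part of either answer or of the asker's code: one way to carry the login state that the question puts in the `Pass` and `Admin` cookies, using an ASP.NET forms authentication ticket instead. It assumes forms authentication is enabled in web.config with the default protection setting and that the site is served over HTTPS; the `AuthCookie` class and its method names are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example; AuthCookie and its method names are hypothetical.
public static class AuthCookie
{
    // Call after the credentials have been checked against the database.
    // The password is never sent back to the browser.
    public static void Issue(HttpResponse response, string userId, string userName, bool isAdmin)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                              // ticket version
            userName,                       // exposed later as ticket.Name
            DateTime.Now,                   // issue time
            DateTime.Now.AddMinutes(30),    // expiry (constructed sample lifetime)
            false,                          // session cookie, not persistent
            userId + "|" + (isAdmin ? "admin" : "user"),
            FormsAuthentication.FormsCookiePath);

        // Encrypt() protects the ticket with the application's machineKey
        // (assumed default protection), so the client cannot edit the admin flag.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;   // not readable from script
        cookie.Secure = true;     // sent over HTTPS only
        cookie.Path = FormsAuthentication.FormsCookiePath;
        response.Cookies.Add(cookie);   // value is set before Add
    }

    // Returns false when the cookie is missing, tampered with or expired.
    public static bool TryRead(HttpRequest request, out string userName, out bool isAdmin)
    {
        userName = null;
        isAdmin = false;
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return false;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return false; }   // decryption or validation failed
        if (ticket == null || ticket.Expired) return false;

        string[] parts = ticket.UserData.Split('|');
        userName = ticket.Name;
        isAdmin = parts.Length == 2 && parts[1] == "admin";
        return true;
    }
}
```

In the master page, `AuthCookie.TryRead(Request, out name, out admin)` would take the place of the `Request.Cookies["Username"]` and `Request.Cookies["Admin"]` checks.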

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow